[PATCH 2.4] fix ipt_REJECT when used in OUTPUT

[PATCH 2.4] fix ipt_REJECT when used in OUTPUT

[Harald Welte]

[-- Attachment #1.1: Type: text/plain, Size: 764 bytes --]

Hi Dave!

Some people use REJECT in the OUTPUT chain (rejecting locally generated
packets).  This didn't work anymore starting with some fixes we did in 2.4.22. 
A dst_entry for a local source doesn't contain pmtu information - and
thus the newly-created packet would instantly be dropped again.

I'll send you a 2.6.x merge for this later.

Please apply the following fix, thanks

-- 
- Harald Welte <laforge@netfilter.org>             http://www.netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie

[-- Attachment #1.2: 75_REJECT_localpmtu-fix.patch --]
[-- Type: text/plain, Size: 847 bytes --]

diff -Nru --exclude .depend --exclude '*.o' --exclude '*.ko' --exclude '*.ver' --exclude '.*.flags' --exclude '*.orig' --exclude '*.rej' --exclude '*.cmd' --exclude '*.mod.c' --exclude '*~' linux-2.4.22/net/ipv4/netfilter/ipt_REJECT.c linux-2.4.22-rejectfix/net/ipv4/netfilter/ipt_REJECT.c
--- linux-2.4.22/net/ipv4/netfilter/ipt_REJECT.c	2003-08-25 13:44:44.000000000 +0200
+++ linux-2.4.22-rejectfix/net/ipv4/netfilter/ipt_REJECT.c	2003-09-21 16:39:25.000000000 +0200
@@ -186,8 +186,8 @@
 	nskb->nh.iph->check = ip_fast_csum((unsigned char *)nskb->nh.iph, 
 					   nskb->nh.iph->ihl);
 
-	/* "Never happens" */
-	if (nskb->len > nskb->dst->pmtu)
+	/* dst->pmtu can be zero because it is not set for local dst's */
+	if (nskb->dst->pmtu && nskb->len > nskb->dst->pmtu)
 		goto free_nskb;
 
 	connection_attach(nskb, oldskb->nfct);

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

Re: [PATCH 2.4] fix ipt_REJECT when used in OUTPUT

[David S. Miller]

On Sun, 21 Sep 2003 16:40:13 +0200
Harald Welte <laforge@netfilter.org> wrote:

> Some people use REJECT in the OUTPUT chain (rejecting locally generated
> packets).  This didn't work anymore starting with some fixes we did in 2.4.22. 
> A dst_entry for a local source doesn't contain pmtu information - and
> thus the newly-created packet would instantly be dropped again.

Applied to 2.4.x, thanks Harald.

Re: [PATCH 2.4] fix ipt_REJECT when used in OUTPUT

[Diadon]

That patch is not work, after patching the kernel problem is not 
disappeared!

Patch by Patrick is working fine and fix this problem


Harald Welte wrote:

>Hi Dave!
>
>Some people use REJECT in the OUTPUT chain (rejecting locally generated
>packets).  This didn't work anymore starting with some fixes we did in 2.4.22. 
>A dst_entry for a local source doesn't contain pmtu information - and
>thus the newly-created packet would instantly be dropped again.
>
>I'll send you a 2.6.x merge for this later.
>
>Please apply the following fix, thanks
>
>  
>
>------------------------------------------------------------------------
>
>diff -Nru --exclude .depend --exclude '*.o' --exclude '*.ko' --exclude '*.ver' --exclude '.*.flags' --exclude '*.orig' --exclude '*.rej' --exclude '*.cmd' --exclude '*.mod.c' --exclude '*~' linux-2.4.22/net/ipv4/netfilter/ipt_REJECT.c linux-2.4.22-rejectfix/net/ipv4/netfilter/ipt_REJECT.c
>--- linux-2.4.22/net/ipv4/netfilter/ipt_REJECT.c	2003-08-25 13:44:44.000000000 +0200
>+++ linux-2.4.22-rejectfix/net/ipv4/netfilter/ipt_REJECT.c	2003-09-21 16:39:25.000000000 +0200
>@@ -186,8 +186,8 @@
> 	nskb->nh.iph->check = ip_fast_csum((unsigned char *)nskb->nh.iph, 
> 					   nskb->nh.iph->ihl);
> 
>-	/* "Never happens" */
>-	if (nskb->len > nskb->dst->pmtu)
>+	/* dst->pmtu can be zero because it is not set for local dst's */
>+	if (nskb->dst->pmtu && nskb->len > nskb->dst->pmtu)
> 		goto free_nskb;
> 
> 	connection_attach(nskb, oldskb->nfct);
>  
>
>------------------------------------------------------------------------
>
>Scanned by evaliation version of Dr.Web antivirus Daemon 
>http://drweb.ru/unix/
>
>  
>

Re: [PATCH 2.4] fix ipt_REJECT when used in OUTPUT

[Harald Welte]

[-- Attachment #1: Type: text/plain, Size: 677 bytes --]

On Mon, Sep 22, 2003 at 12:16:50PM +0400, Diadon wrote:
> That patch is not work, after patching the kernel problem is not 
> disappeared!
> 
> Patch by Patrick is working fine and fix this problem

David, pleas defer applying that patch until further testing is done.

Sorry for the confusion.

-- 
- Harald Welte <laforge@netfilter.org>             http://www.netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

Re: [PATCH 2.4] fix ipt_REJECT when used in OUTPUT

[David S. Miller]

On Mon, 22 Sep 2003 10:53:26 +0200
Harald Welte <laforge@netfilter.org> wrote:

> David, pleas defer applying that patch until further testing is done.
> 
> Sorry for the confusion.

Already pushed to Marcelo, just send me the fix I should apply
on top once you have this issue solved.

Re: [PATCH 2.4] fix ipt_REJECT when used in OUTPUT

[Diadon]

David S. Miller wrote:

>On Mon, 22 Sep 2003 10:53:26 +0200
>Harald Welte <laforge@netfilter.org> wrote:
>
>  
>
>>David, pleas defer applying that patch until further testing is done.
>>
>>Sorry for the confusion.
>>    
>>
>
>Already pushed to Marcelo, just send me the fix I should apply
>on top once you have this issue solved.
>
>
>  
>
So we're waiting final release of this patch ;)))

Re: [PATCH 2.4] fix ipt_REJECT when used in OUTPUT

[Harald Welte]

[-- Attachment #1: Type: text/plain, Size: 2586 bytes --]

On Mon, Sep 22, 2003 at 02:02:05AM -0700, David S. Miller wrote:
 
> Already pushed to Marcelo, just send me the fix I should apply
> on top once you have this issue solved.

Ok, here goes the (confirmed to be working) fix. TIA.

diff -Nru linux-2.4.22-laforge/net/ipv4/netfilter/ipt_REJECT.c linux-2.4.22-kaber/net/ipv4/netfilter/ipt_REJECT.c
--- linux-2.4.22-laforge/net/ipv4/netfilter/ipt_REJECT.c	2003-09-22 14:29:05.000000000 +0200
+++ linux-2.4.22-kaber/net/ipv4/netfilter/ipt_REJECT.c	2003-09-22 14:26:54.000000000 +0200
@@ -34,16 +34,17 @@
 		attach(new_skb, nfct);
 }
 
-static inline struct rtable *route_reverse(struct sk_buff *skb, int local)
+static inline struct rtable *route_reverse(struct sk_buff *skb, int hook)
 {
 	struct iphdr *iph = skb->nh.iph;
 	struct dst_entry *odst;
 	struct rt_key key = {};
 	struct rtable *rt;
 
-	if (local) {
+	if (hook != NF_IP_FORWARD) {
 		key.dst = iph->saddr;
-		key.src = iph->daddr;
+		if (hook == NF_IP_LOCAL_IN)
+			key.src = iph->daddr;
 		key.tos = RT_TOS(iph->tos);
 
 		if (ip_route_output_key(&rt, &key) != 0)
@@ -75,7 +76,7 @@
 }
 
 /* Send RST reply */
-static void send_reset(struct sk_buff *oldskb, int local)
+static void send_reset(struct sk_buff *oldskb, int hook)
 {
 	struct sk_buff *nskb;
 	struct tcphdr *otcph, *tcph;
@@ -104,7 +105,7 @@
 			 csum_partial((char *)otcph, otcplen, 0)) != 0)
 		return;
 
-	if ((rt = route_reverse(oldskb, local)) == NULL)
+	if ((rt = route_reverse(oldskb, hook)) == NULL)
 		return;
 
 	hh_len = (rt->u.dst.dev->hard_header_len + 15)&~15;
@@ -186,8 +187,8 @@
 	nskb->nh.iph->check = ip_fast_csum((unsigned char *)nskb->nh.iph, 
 					   nskb->nh.iph->ihl);
 
-	/* dst->pmtu can be zero because it is not set for local dst's */
-	if (nskb->dst->pmtu && nskb->len > nskb->dst->pmtu)
+	/* "Never happens" */
+	if (nskb->len > nskb->dst->pmtu)
 		goto free_nskb;
 
 	connection_attach(nskb, oldskb->nfct);
@@ -372,7 +373,7 @@
 		send_unreach(*pskb, ICMP_PKT_FILTERED);
 		break;
 	case IPT_TCP_RESET:
-		send_reset(*pskb, hooknum == NF_IP_LOCAL_IN);
+		send_reset(*pskb, hooknum);
 	case IPT_ICMP_ECHOREPLY:
 		/* Doesn't happen. */
 		break;
-- 
- Harald Welte <laforge@netfilter.org>             http://www.netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

Re: [PATCH 2.4] fix ipt_REJECT when used in OUTPUT

[David S. Miller]

On Mon, 22 Sep 2003 14:21:59 +0200
Harald Welte <laforge@netfilter.org> wrote:

> On Mon, Sep 22, 2003 at 02:02:05AM -0700, David S. Miller wrote:
>  
> > Already pushed to Marcelo, just send me the fix I should apply
> > on top once you have this issue solved.
> 
> Ok, here goes the (confirmed to be working) fix. TIA.

Applied, thanks.

Re: [PATCH 2.4] fix ipt_REJECT when used in OUTPUT

[Patrick McHardy]

Harald Welte wrote:

>David, pleas defer applying that patch until further testing is done.
>
>Sorry for the confusion.
>

My bad, I missed that we cannot pass the packet to ip_finish_output2
since it was routed as local input and is missing a neighbour. The correct
fix is to use ip_route_output for packets generated in LOCAL_OUT with
key.saddr set to 0 (the first one I sent to Diadon).

Best regards,
Patrick